Decrypting within a Lit Action

Overview

Decryption with Lit can be performed either client-side by an authorized user or within a Lit Action.

Using decryption within a Lit Action is useful for performing operations over sensitive data, where the data itself remains private within the confines of each Lit node's Trusted Execution Environment (TEE). You can learn more about Lit's architecture here.

Lit Actions have two methods for decrypting data: decryptToSingleNode and decryptAndCombine.

As the name implies, decryptToSingleNode will request the signature shares from all the Lit nodes in the network and will combine them only within a single Lit node. This means the fully decrypted data will only exist within a single Lit node's TEE.

decryptAndCombine runs on every Lit node in the network, requesting signature shares from all the other nodes and combining them within each Lit node's TEE. This means the fully decrypted data will exist within every Lit node's TEE, and an error will be thrown by the network if the Lit nodes do not reach consensus on the decrypted data.

Because decryptToSingleNode reduces the execution scope to a single Lit node, any behavior that requires multiple nodes (e.g. console logs, signAndCombineEcdsa) will encounter a timeout error.

The following example demonstrates how to encrypt an API key client-side, then decrypt and use it within a Lit Action to query the block number on Base.

Prerequisites

Complete Code Example

The complete code example is available in the Lit Developer Guides Code Repository.

Example Lit Action

The decryptAndCombine function uses the accessControlConditions to specify who can decrypt the data and under what conditions. The ciphertext and dataToEncryptHash are the encrypted data and the hash of the data that was encrypted.

We set the authSig to null to tell the Lit Action runtime to use the authSig that was provided to the node when executeJs was called; that AuthSig is sourced from the session signatures.

The decrypted API key is then used to query the block number on Base.

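const _litActionCode = async () => {
  try {
    // accessControlConditions, ciphertext, dataToEncryptHash and url are not
    // declared here; they are expected to be provided when executeJs is called.
    const apiKey = await Lit.Actions.decryptAndCombine({
      accessControlConditions,
      ciphertext,
      dataToEncryptHash,
      authSig: null, // use the authSig supplied with the executeJs call
      chain: "ethereum",
    });

    // The decrypted key becomes part of the request URL.
    const fullUrl = url + apiKey;

    const resp = await fetch(fullUrl, {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
      },
      body: JSON.stringify({
        jsonrpc: "2.0",
        id: 1,
        method: "eth_blockNumber",
        params: [],
      }),
    });

    let data = await resp.json();

    // The RPC result is a hex string; convert it to a number.
    if (data.result) {
      data.result = parseInt(data.result, 16);
    }

    Lit.Actions.setResponse({ response: JSON.stringify(data) });
  } catch (e) {
    // The error message is returned to the caller as the response.
    Lit.Actions.setResponse({ response: e.message });
  }
};

// Serialize the function into a self-invoking string for execution as a Lit Action.
export const litActionCode = `(${_litActionCode.toString()})();`;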
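
The Lit Action above places the decrypted key in the request URL and returns e.message to the caller on failure. The following added example (not from the Lit documentation or its code repository) is a variant that scrubs the key from anything passed to setResponse. The redact, runAction and demo names, the mock Lit and fetch objects, the rpc.example URL and the sample key are constructed here so the code runs in Node outside a Lit node; that an error message can contain the request URL is an assumption.

```javascript
// Added example: mock objects stand in for the Lit Action runtime so this runs in Node.
// Replace the secret (raw and URL-encoded) before any text leaves the action.
function redact(text, secret) {
  if (!secret) return String(text);
  return String(text)
    .split(secret).join("[REDACTED]")
    .split(encodeURIComponent(secret)).join("[REDACTED]");
}

// Same flow as the Lit Action above; Lit, fetch and the parameters are injected
// (hypothetical signature) so the failure path can be exercised offline.
async function runAction({ Lit, fetch, url, decryptParams }) {
  let apiKey = "";
  try {
    apiKey = await Lit.Actions.decryptAndCombine({
      ...decryptParams, authSig: null, chain: "ethereum",
    });
    const resp = await fetch(url + apiKey, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ jsonrpc: "2.0", id: 1, method: "eth_blockNumber", params: [] }),
    });
    if (!resp.ok) throw new Error(`RPC endpoint returned HTTP ${resp.status}`);
    const data = await resp.json();
    if (data.result) data.result = parseInt(data.result, 16);
    Lit.Actions.setResponse({ response: redact(JSON.stringify(data), apiKey) });
  } catch (e) {
    // Assumption: an error message may embed the request URL, which ends with the key.
    Lit.Actions.setResponse({ response: redact(e.message, apiKey) });
  }
}

// Constructed harness: sample key, mock Lit runtime, failing and succeeding fetch.
const SAMPLE_KEY = "constructed-sample-key-123";
const failingFetch = async (u) => { throw new TypeError(`error sending request for url (${u})`); };
const okFetch = async () => ({ ok: true, status: 200, json: async () => ({ id: 1, result: "0x10" }) });

async function demo(fetchImpl) {
  let last = null;
  const Lit = { Actions: {
    decryptAndCombine: async () => SAMPLE_KEY,
    setResponse: ({ response }) => { last = response; },
  } };
  await runAction({ Lit, fetch: fetchImpl, url: "https://rpc.example/v1/", decryptParams: {} });
  return last;
}

demo(failingFetch).then((r) => console.log(r));
```

Redaction covers only the raw and URL-encoded forms of the key, so it complements rather than replaces keeping the key out of anything the action returns.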

Summary

This guide demonstrates how to decrypt data within a Lit Action.

If you'd like to learn more about Lit Actions, check out the Lit Actions SDK, or our Advanced Topics section on Lit Actions.